High-impact SSRF and request smuggling bugs among flaws addressed in bumper patch cycle
The Apache HTTP Server Project is a collaborative project to develop and maintain an open source software-based HTTP server for modern operating systems including UNIX and Windows. The technology is claimed to be the most popular web server on the internet.
A high-severity vulnerability with a CVSS score of 8.1, CVE-2021-40438, was discovered by the Apache HTTP security team. The security flaw allows a remote attacker to perform SSRF attacks, and stems from insufficient validation of user-supplied input within the mod proxy module.
Sending a specially crafted HTTP request with a chosen uri-path could trick the web server into initiating requests to arbitrary systems. This would allow the attacker to gain access to sensitive data in the local network or send malicious requests to other servers.
The flaw allows a crafted method sent through HTTP/2 to bypass validation controls and get forwarded by mod proxy, potentially leading to request splitting or cache poisoning.
Those interested in learning more about Kettle’s HTTP/2 request smuggling research should check out our recent coverage from Black Hat USA.
Patches issued on 16 September resolves these vulnerabilities, along with three others. These include a medium-severity NULL pointer dereference error, a boundary condition in module mod proxy uwsgi that could trigger a denial of service (system crash) condition and a low impact flaw only involving third party modules.
All five flaws are resolved with HTTP Server 2.4.49.
Check out Apache’s release notes for full details, here.